DmitriyLewen

384 comments by DmitriyLewen

> This condition works only for major version, because backport branch usually doesn't contain a Helm Chart update.

Oh... you said current behavior. I thought it was new logic. Then...

> a new PR: https://github.com/afdesk/trivy/pull/72

IIUC, the author of the PR should be `aqua-bot` (as for backports, e.g. https://github.com/aquasecurity/trivy/pull/7521).

> it seems it depends on token owner

You said this and I realized that you are most likely right, and I have already encountered this 👍

Hello @DicksenT, you also need to update the `unmarshal` logic: https://github.com/aquasecurity/trivy/blob/72ea4b0632308bd6150aaf2f1549a3f10b60dc23/pkg/sbom/spdx/unmarshal.go#L186-L196. You need to add a test case (as in https://github.com/aquasecurity/trivy/pull/9126/files#diff-b17fc40bdfbe923285c5951b6ff7243b43dddedfa22eb0a5967d695268096a87). This test case will help you update the logic.

You need to:

- add a function to convert `spdx.Checksum` into `digest.Digest`
- save checksums from `package` or `Files`
- add tests for both cases

Something like that:

```diff
diff --git a/pkg/sbom/spdx/testdata/happy/package-hashes.json...
```

Hello @DicksenT, we need to discuss https://github.com/aquasecurity/trivy/pull/9130#discussion_r2247119636. But for now you don't need to make any changes.

> We need to find parents from all results.

I thought about this solution today. It won't help us. Possible cases where this method will be wrong, e.g.:

```mermaid
graph...
```

Hello @oneum20, what do you mean? Can you explain in more detail what you mean?

Hmm... you are right. Packages from the `vendor` directory don't have `go.mod` files. This doesn't matter for license detection (we check LICENSE files), but it will affect the removal of unused...